Authors: Brian Krebs
Tags: #Political Science, #Security (National & International), #Business & Economics, #Industries, #Computers & Information Technology, #Pharmaceutical & Biotechnology
As Dmitry Samosseiko, a security expert with SophosLabs Canada, noted in his seminal paper, “The Partnerka—What Is It, and Why Should You Care?”, all partnerkas are in strong competition with each other.
“Allegiance is earned through more generous commission rates, shorter ‘hold’ periods, support for a wider range of payment systems, higher quality promotional material, better support, etc.,” Samosseiko wrote. Partnerkas typically place a one- to two-week hold on paying affiliate commissions to hedge against the possibility of having to pay all affiliates at the same time and to ensure that affiliates do not receive commissions for sales later reversed by credit card processors.
Samosseiko said partnerkas frequently use competitions and other gimmicks to attract more affiliates (spammers). “Many organize expensive parties for their members, send generous gifts for holidays, run lotteries where a top producer wins a luxury car, and the list goes on,” he wrote.
These incentives also drive up the amount of email spam we receive. For example, in 2008, Stupin and Gusev—the founders and administrators of GlavMed and SpamIt—decided to sponsor a competition among their top spammers, with hefty cash prizes going to those adverts whose spam generated the greatest number of sales. Each participant was given a list with approximately 20,000 email addresses, and the contest began on July 4, 2008, Independence Day in the United States.
The first three finishers were awarded prizes of $1,000 to $3,000, and were bestowed with “Master of Inbox” status on Spamdot.biz, an exclusive forum owned by the SpamIt administrators. (The winner of that competition, a hacker nicknamed “Engel,” was the Russian man allegedly behind the “Festi” spam botnet, an extremely virulent and powerful spam-spewing machine, as detailed in Chapter 7. Incidentally, Engel and his botnet would eventually catapult Vrublevsky and himself toward a dangerous collision with the law, as we’ll see in Chapter 12.)
In their seminal paper, “PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs,” researchers at the University of California, San Diego (UCSD), the International Computer Science Institute, and George Mason University examined caches of data tracking the day-to-day finances of GlavMed, SpamIt, and Rx-Promotion, which collectively over a four-year period processed more than $170 million worth of orders from customers seeking cheaper, more accessible, and more discreetly available drugs.
The result is perhaps the most detailed analysis yet of the business case for the malicious software and spam epidemics that persist to this day. The researchers concluded that spam—and all of its attendant ills—will remain a prevalent and pestilent problem because consumer demand for the products most frequently advertised through junk email remains constant.
“The market for spam-advertised drugs is not even close to being saturated,” said UCSD professor Stefan Savage. “The number of new customers these programs got each day explains why people spam. Because sending spam to everyone on the planet gets you new customers on an ongoing basis, so it’s not going away.”
Affiliates understand this deeply, and like regional drug dealers who stake out huge swaths of online territory, they frequently squabble with one another out of jealousy or animosity, or in retribution for some perceived slight. These virtual turf wars can quickly become quite ugly and expensive for all involved. This is especially true when disputes break out between competing partnerkas, because most of the top affiliates are big-time spammers with extremely powerful botnets at their disposal.
Such disputes also are expensive because of the opportunity costs involved. The crippling attacks are carried out via botnets, by diverting resources that normally are used to send spam so that they instead send junk Internet traffic until the targeted website is overwhelmed and can no longer accommodate legitimate visitors (that is, potential buyers).
In their “PharmaLeaks” paper, the UCSD researchers discovered that just 10 percent of the highest-earning affiliates accounted for 75 to 90 percent of total program revenue across all three affiliate programs.
“Undermining the activities of just a handful of affiliates would have considerable effect on a program’s bottom line,” the researchers wrote.
The shadowy bosses at the head of various partnerka programs identified this weakness as an existential problem early on. To remedy it, the crime bosses sought to establish a virtual cartel for online pharmacy partnerkas that was designed to prevent inter-partnerka disputes, price wars, and affiliates stampeding from one pharmacy program to the next at a moment’s notice. The partnerka bosses believed that such a deal would reduce overhead costs and episodic dips in overall spam volumes, and ultimately ensure a more consistent flow of junk email into inboxes everywhere.
To facilitate this, on September 4, 2007, Dmitry Stupin told his partner Igor Gusev that he would like to see SpamIt and GlavMed enter into a pharmacy cartel with other partnerka programs. A week later, Gusev arranged a meeting to discuss the idea with Leonid Kuvayev, a convicted spammer who was coadministrator of Rx-Partners, a competing pharmacy spam program.
Around that same time, Pavel Vrublevsky was reportedly setting up his own rogue pharmacy operation—Rx-Promotion—in conjunction with a coworker and longtime friend, Yuri “Hellman” Kabayenkov. Vrublevsky denies playing an active role in Rx-Promotion, but according to emails leaked from ChronoPay, Vrublevsky had a meeting with Rx-Partners’ Leo Kuvayev and Kuvayev’s partner—Vladislav Khokholkov—to discuss Rx-Promotion’s participation in the still nascent cartel. In the leaked emails, Vrublevsky claims to have declined participating in the cartel, but said that Mailien, SpamIt, and another large program—EvaPharmacy—had agreed to set price controls on drugs and to cap affiliate commissions at 40 percent.
Chat logs that Russian investigators eventually seized from Stupin’s computer suggest that the cartel worked assiduously to win over EvaPharmacy. Below is a transcript of a chat between Stupin and representatives of Eva (also known as “Bulker.biz”). Their chat has been translated from Russian into English.
STUPIN: I don’t like the conditions we give to adverts. Some of them demand 45 percent. We suffer from it because of low prices, plus some of them are asking to lower hold to one week. I want to straighten them up and pay more to myself than to them ;) We do not offer less than two-week hold to anyone. Simply because of delays in payments from Shaman and the islands (off-shore), our account balances are going down. I am not asking you about anything, just saying that you also can set a minimum hold to two weeks and then adverts will not have a choice, because we will offer similar conditions. I also think that it is going to be easier for you to pay with the hold time than without it, because if adverts raise production, you need to keep too much cash in banks. In summary, my utopia is a cartel agreement to lower advert commissions to 30 to 35 percent, similar to the payoffs of Western affiliation programs.
BULKER.BIZ: We also have two weeks of hold. However, we do exclude our best adverts [from that restriction]. You forced a lot of our adverts to switch to you by lowering your prices. Therefore, we have no other choice ;) To have an agreement is a great idea, yet for it to work, it needs to include Mailien and others. Otherwise, spammers will continue to run to them. Surely, 45 percent is just outrageous! The partnerka earns three times less because of that!
STUPIN: Yes, and the only argument for asking for 45 percent is that Eva pays that much ;)
BULKER.BIZ: Some people pay even 50 percent and are killing the market even more. I also want to say that I know which advert you are talking about. He does not have a hold at all, but it does not mean that he costs us the entire balance every day.
STUPIN: I know, he told me everything.
BULKER.BIZ: Listen, we are willing to strike an agreement and to establish the same conditions with adverts, but only after we test new suppliers and are able to lower our prices to match or to be close to yours, only when our competitive conditions are similar.
According to Vishnevsky, who was active in the development of the Cutwail botnet, the UCSD researchers’ finding that a handful of affiliates generate the bulk of the revenue for partnerka programs is accurate. Vishnevsky said very few affiliates who did not already own significant spamming resources could expect to make much money, because of the costs involved in creating those resources.
The most expensive part of any spamming operation is the process of procuring the bots used to relay junk email. Almost without exception, the top-earning affiliates ran their own very large botnets, crime machines that they used to send their own spam and that were rented out to other affiliates.
Vishnevsky said affiliates who rent botnet resources from other spammers frequently do so by purchasing “installs,” or seeding a prearranged number of bots with an additional malicious program that sends spam for the affiliate. Affiliates who rent bots from fellow affiliates often will pay for those resources by simply diverting a share of their commissions on each sale from spam generated by the rented bots. Very often, Vishnevsky said, botmasters would demand up to 50 percent of an affiliate customer’s commissions.
But a proper spam-spewing network consists of much more than just bots. If we compare a spam network to a factory, the bots can be thought of as the machinery responsible for assembling the component parts of the product for sale. And a spam botnet is only as effective as the software that directs the day-to-day activities of that machinery. Modern PCs are extremely powerful systems, but they can quickly become overwhelmed if too many operations are demanded of them simultaneously. Decent spam software distributes the workload across thousands of infected machines, ensuring that individual PCs aren’t being overpowered by more work than they can handle.
At the same time, good spam software is responsible for keeping track of how many emails were successfully delivered and how many recipients clicked through to the advertised site. The software also is expected to automatically delete or “scrub” from spam lists any email addresses that are no longer active or that refuse to accept incoming email. Spammers often “spoof” or fake the address in the “From:” section of a junk email, and when spam messages are sent to inactive inboxes, the messages frequently bounce back not to the spammers but to the unwitting person whose email address was used to spoof the email’s origin! (No doubt you may have been on the receiving end of one of these from a friend, colleague, or relative whose email account was hacked or spoofed.) Emails that bounce like this prompt confused and concerned Internet users to complain to their Internet or email providers, or both, which in turn may enact more stringent measures to block such wayward messages in the future.
Finally, an affiliate who doesn’t already have decent email lists will have to buy them from someone else, if he cannot write his own program to continuously harvest new email addresses from random websites.
According to Vishnevsky, an affiliate can expect to spend 20 to 30 percent of his income on renting software and email lists.
“It should not be surprising that most spammers do not make much money if they have to rent all of these things,” he said.
It’s impossible to say how much organizations worldwide spend fighting junk email sent by the likes of affiliates of Rx-Promotion, GlavMed, and SpamIt, but it is almost certainly many, many times more than the profits eked out by the administrators and founders of those programs.
What’s mind-boggling is that when the UCSD researchers calculated the direct and indirect costs of these programs during an eleven-month period between May 2009 and April 2010, they found that the net profit for these programs was about 20 percent of gross revenue.
“What’s fascinating about all this is that at the end of the day, we’re not talking about all that much money,” said UCSD’s Savage. “These guys running the pharma programs are not Donald Trumps, yet their activity is going to have real and substantial financial impact on the day-to-day lives of tens of millions of people. In other words, for these guys to make modest riches, we need a multibillion-dollar security industry to deal with them.”
Savage and his research team also had a chance to review many of the leaked chats between Gusev and his business partner Stupin, and said the conversations were replete with examples of how these guys were constantly looking for ways to add value to their consumer offerings. Guys like the SpamIt administrators succeeded because they understood their core market: selling discreetly delivered and affordable products—from online porn to penis pills—that many adults would be ashamed to buy otherwise.
At one point, the chats show that Stupin and Gusev considered using their spam infrastructure to promote a far more questionable consumer product: penis-extending devices.
“This is by far the funniest conversation in the whole collection,” Savage recalled. “It’s basically Gusev fighting with Stupin over whether or not they should add penis-extender devices to their online shops. Gusev is totally into the idea. He’s like, ‘Yeah, Americans really want to add inches,’ but Stupin is unconvinced. And that’s the thing I try to explain to people [based on] all of our research into this bizarre underground economy.
“The pharma and spam guys don’t fundamentally think of themselves as criminals at all. I think their mental model is that they’re selling a quality product to an audience that is demanding it. Yes, there may be some laws in their way, but those laws are tools of a Western power structure and bourgeois intellectual-property bullcrap, and it’s just The Man getting in the way of their marketplace.”
♦ ♦ ♦
If Savage is correct—that partnerkas represent “disorganized cybercrime”—then the role of creating and maintaining order from all of this criminal chaos falls to the cybercrime forums. These are online communities where most spammers, scammers, and fraudsters meet, transact, earn, and maintain a “trustworthy” reputation in the underground.